Will44
Copper Contributor
Mar 06, 2025
Solved

Does the Intune Management Extension enroll the Windows PC in Intune?

Intune Management Extension fails to install.  The device is not visible in Intune.  It IS visible in Entra ID and Defender.  Is the install failing because it's not enrolled in Intune or is it the opposite?  This is a remote device, so I don't have direct access.

 

  • Will44
    Copper Contributor

    Looks like it's a GPO issue.  The PC isn't getting the Intune Enrollment GPO.

  • Ankido
    Iron Contributor

    Hi Will44

    No, the Intune Management Extension (IME) does not enroll a Windows PC in Intune. Enrollment is a separate process handled by the Windows device itself through its built-in Mobile Device Management (MDM) client (like the omadm or mmp-c client you mentioned earlier). This typically happens when a device is either manually enrolled via the Company Portal app, automatically enrolled through Azure AD (now Entra ID) join with MDM auto-enrollment configured, or set up via Windows Autopilot.

    The IME is a supplementary component that gets installed after a device is enrolled in Intune. Its purpose is to extend Intune’s capabilities beyond basic MDM functions—allowing things like Win32 app installations, PowerShell script execution, and compliance reporting that the native MDM client can’t handle alone. For the IME to install, the device must already be enrolled in Intune and communicating with the Intune service.

     

     

    Why is the IME failing to install, and what’s the relationship with enrollment?


    Since your device isn’t visible in Intune but is visible in Entra ID and Defender, the most likely scenario is that the device is not enrolled in Intune. Here’s why this matters:

    1- IME Installation Requires Enrollment: The IME is automatically deployed by Intune to enrolled Windows devices when certain policies (like Win32 apps or PowerShell scripts) are assigned. If the device isn’t enrolled, Intune has no way to push the IME to it, and thus the installation fails—or more accurately, it never even starts.


    2- Visibility in Intune: If the device isn’t showing up in the Intune portal (Microsoft Endpoint Manager admin center), it strongly suggests it hasn’t completed the enrollment process. Enrollment would register the device with Intune, making it visible and manageable there.


    3- Visibility in Entra ID and Defender: Seeing the device in Entra ID means it’s either Azure AD joined or registered, which is a prerequisite for Intune enrollment if auto-enrollment is configured. Visibility in Defender suggests it’s onboarded to Microsoft Defender for Endpoint (MDE), which can happen independently of Intune enrollment (e.g., via a standalone MDE onboarding script). However, neither of these guarantees Intune enrollment.


    Is the IME failing because it’s not enrolled, or is it not enrolled because the IME is failing?


    It’s almost certainly the former: the IME is failing to install because the device isn’t enrolled in Intune. The reverse doesn’t make sense—enrollment doesn’t depend on the IME; the IME depends on enrollment. Here’s the likely chain of events:

    • The device is Azure AD joined (visible in Entra ID).
    • It’s onboarded to Defender (visible in Defender portal).
    • But it hasn’t successfully enrolled in Intune, so Intune doesn’t see it and can’t deploy the IME.

    • Will44
      Copper Contributor

      Any tips on finding out why it's not enrolling?  ...remotely
      Most of our Windows PCs enroll just fine, but not this one.

  • klenTAHN
    Copper Contributor

    The Intune Management Extension is the functional agent for Intune management.  Think CCM client from SCCM.  If it's not installing, it's not going to show up in Intune.  How are you deploying?

    • Will44
      Copper Contributor

      We don't have CCM or SCCM.  How am I deploying what?  If you mean the Management Extension, I sent the end user a link and they downloaded and ran it.  Devices are set to auto-enroll using group policy.
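
Added example, not part of any post in this thread: a read-only PowerShell check for the two conditions discussed above, whether the auto-enrollment GPO reached the PC and whether MDM enrollment completed. It assumes an elevated session on the affected PC through whatever remote tooling is available; the registry paths, task folder and event IDs are the standard Windows ones, not values taken from the thread.

```powershell
# Added example: read-only enrollment checks, run elevated on the affected PC.

# 1. Join state. Group Policy auto-enrollment applies to hybrid-joined devices,
#    so AzureAdJoined and DomainJoined should both be YES and MdmUrl populated.
$join = dsregcmd /status |
    Select-String '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:' |
    ForEach-Object { $_.Line.Trim() }

# 2. Did the auto-enrollment GPO reach this PC? The policy sets AutoEnrollMDM = 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# 3. The policy creates an enrollment task in this folder when it applies.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like '*automatically enrolling in MDM*'

# 4. A completed Intune enrollment leaves a key whose ProviderID is 'MS DM Server'.
$enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }

# 5. The service is present only if the Intune Management Extension is installed.
$ime = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue

# 6. Auto-enrollment results: event 75 = succeeded, 76 = failed (with error code).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 5 -ErrorAction SilentlyContinue

[pscustomobject]@{
    JoinState        = $join -join '; '
    GpoAutoEnrollMDM = if ($policy) { $policy.AutoEnrollMDM } else { 'policy key missing' }
    EnrollmentTask   = if ($task) { $task.State } else { 'not created' }
    IntuneEnrolled   = [bool]$enrolled
    ImeService       = if ($ime) { $ime.Status } else { 'not installed' }
} | Format-List

$events | Select-Object TimeCreated, Id, Message | Format-List
```

A missing policy key together with no enrollment task points at GPO delivery (scoping, filtering or a stale policy refresh); a policy value of 1 with event 76 entries points at the enrollment attempt itself, and the error code in the event message is the next thing to look up.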
